- Jan 8, 2011
Recent ESET research has uncovered details of the successor of the BlackEnergy APT group, whose main toolset was last seen in December 2015 during the first-ever blackout caused by a cyberattack. Around the time of that breakthrough incident, when around 230,000 people were left without electricity, we started detecting another malware framework and named it GreyEnergy. It has since been used to attack energy companies and other high-value targets in Ukraine and Poland for the past three years.
Links to BlackEnergy and TeleBots
A full list of Indicators of Compromise (IoCs): eset/malware-ioc
Some of the reasons ESET researchers consider BlackEnergy and GreyEnergy related are listed below:
- The appearance of GreyEnergy in the wild coincides with the disappearance of BlackEnergy.
- At least one of the victims targeted by GreyEnergy had been targeted by BlackEnergy in the past. Both subgroups share an interest in the energy sector and critical infrastructure. Both have had victims primarily in Ukraine, with Poland ranking second.
- There are strong architectural similarities between the malware frameworks. Both are modular, and both employ a “mini”, or light, backdoor deployed before admin rights are obtained and the full version is deployed.
- All remote C&C servers used by the GreyEnergy malware were active Tor relays. This has also been the case with BlackEnergy and Industroyer. We hypothesize that this is an operational security technique used by the group so that the operators can connect to these servers in a covert manner.
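Because the GreyEnergy C&C servers were reported to be active Tor relays, one defensive check is to enrich egress connection records against the Tor network consensus and flag destinations that are relays. The example below is added here and is not ESET's or the report's code; the consensus excerpt and connection records are constructed (only the layout of the "r" line follows the real Tor consensus format), and the hypothetical `CONNECTIONS` tuples stand in for whatever flow or proxy log a site actually has.

```python
"""Flag outbound connections whose destination is a Tor relay (added example)."""
import ipaddress
from dataclasses import dataclass

# Constructed consensus excerpt. Real layout of an 'r' line:
# r <nickname> <identity-b64> <digest-b64> <YYYY-MM-DD> <HH:MM:SS> <IP> <ORPort> <DirPort>
CONSENSUS = """\
r ExampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2018-10-17 08:00:00 198.51.100.23 443 9030
r ExampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2018-10-17 08:00:00 203.0.113.9 9001 0
"""

# Constructed egress records (hypothetical log shape): src_ip, dst_ip, dst_port, bytes_out
CONNECTIONS = [
    ("10.20.30.40", "198.51.100.23", 443, 51200),
    ("10.20.30.41", "93.184.216.34", 443, 4096),
    ("10.20.30.42", "203.0.113.9", 9001, 20480),
    ("10.20.30.43", "203.0.113.9", 80, 512),
]


@dataclass(frozen=True)
class Relay:
    nickname: str
    ip: str
    or_port: int


def parse_consensus(text: str) -> dict:
    """Index relay 'r' lines by IP address; every other consensus line is ignored."""
    relays = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[0] != "r":
            continue
        ip = str(ipaddress.ip_address(fields[6]))  # normalises and rejects garbage
        relays[ip] = Relay(fields[1], ip, int(fields[7]))
    return relays


def flag_tor_relay_connections(conns, relays):
    """Return (src, dst, port, nickname, hits_or_port) for each connection to a relay IP.

    hits_or_port records whether the destination port is the relay's ORPort, so an
    analyst can tell ordinary Tor traffic from other services hosted on a relay.
    """
    hits = []
    for src, dst, port, _ in conns:
        relay = relays.get(dst)
        if relay is not None:
            hits.append((src, dst, port, relay.nickname, port == relay.or_port))
    return hits
```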
Read more: GreyEnergy revealed as successor to infamous BlackEnergy APT group
More: Cyber-espionage group GreyEnergy related to TeleBots exposed | ESET